On Wed, 7 Apr 2004, Chris Shiflett wrote:

> --- Christian Schneider <[EMAIL PROTECTED]> wrote:
> > I decided to say "If X knows the session ID of User A then he _is_ A".
>
> This isn't a good approach, but you can bring this up on php-general to
> discuss why. I'm sure plenty of people will be happy to discuss it.
>
> > (Side note: I use my own random/MD5-based session IDs which should be
> > hard to guess).

PHP's generated from remote ID, process id, time and some randomness; and then MD5'ed. That's 'better' than your random/MD5 based approach as it's even less likely to result in collisions.

regards,
Derick

--
PHP Internals - PHP Runtime Development Mailing List